Title Page
Copyright and Credits
Network Analysis Using Wireshark 2 Cookbook Second Edition
Dedication
Packt Upsell
Why subscribe?
PacktPub.com
Contributors
About the authors
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Sections
Getting ready
How to do it...
How it works...
There's more...
See also
Get in touch
Reviews
Introduction to Wireshark Version 2
Wireshark Version 2 basics
Locating Wireshark
Getting ready
How to do it...
Monitoring a server
Monitoring a router
Monitoring a firewall
Test access points and hubs
How it works...
There's more...
See also
Capturing data on virtual machines
Getting ready
How to do it...
Packet capture on a VM installed on a single hardware
Packet capture on a blade server
How it works...
Standard and distributed vSwitch
See also
Starting the capture of data
Getting ready
How to do it...
Capture on multiple interfaces
How to configure the interface you capture data from
Capture data to multiple files
Configure output parameters
Manage interfaces (under the Input tab)
Capture packets on a remote machine
Start capturing data – capture data on Linux/Unix machines
Collecting from a remote communication device
How it works...
There's more...
See also
Configuring the start window
Getting ready
The main menu
The main toolbar
Display filter toolbar
Status bar
How to do it...
Toolbars configuration
Main window configuration
Name resolution
Colorize packet list
Zoom
Mastering Wireshark for Network Troubleshooting
Introduction
Configuring the user interface, and global and protocol preferences
Getting ready
How to do it...
General appearance preferences
Layout preferences
Column preferences
Font and color preferences
Capture preferences
Filter expression preferences
Name resolution preferences
IPv4 preference configuration
TCP and UDP configuration
How it works...
There's more...
Importing and exporting files
Getting ready
How to do it...
Exporting an entire or partial file
Saving data in various formats
Printing data
How it works...
There's more...
Configuring coloring rules and navigation techniques
Getting ready
How to do it...
How it works...
See also
Using time values and summaries
Getting ready
How to do it...
How it works...
Building profiles for troubleshooting
Getting ready
How to do it...
How it works...
There's more...
See also
Using Capture Filters
Introduction
Configuring capture filters
Getting ready
How to do it...
How it works...
There's more...
See also
Configuring Ethernet filters
Getting ready
How to do it...
How it works...
There's more...
See also
Configuring hosts and network filters
Getting ready
How to do it...
How it works...
There's more...
See also
Configuring TCP/UDP and port filters
Getting ready
How to do it...
How it works...
There's more...
See also
Configuring compound filters
Getting ready
How to do it...
How it works...
There's more...
See also
Configuring byte offset and payload matching filters
Getting ready
How to do it...
How it works...
There's more...
See also
Using Display Filters
Introduction
Configuring display filters
Getting ready
How to do it...
How it works...
There's more...
Configuring Ethernet, ARP, host, and network filters
Getting ready
How to do it...
How it works...
See also
Configuring TCP/UDP filters
Getting ready
TCP and UDP port number display filters
TCP header filters
How to do it...
How it works...
There's more...
See also
Configuring specific protocol filters
Getting ready
How to do it...
HTTP display filters
DNS display filters
FTP display filters
How it works...
See also
Configuring substring operator filters
Getting ready
How to do it...
How it works...
Configuring macros
Getting ready
How to do it...
How it works...
Using Basic Statistics Tools
Introduction
Using the statistics – capture file properties menu
Getting ready
How to do it...
How it works...
There's more...
Using the statistics – resolved addresses
Getting ready
How to do it...
How it works...
There's more
Using the statistics – protocol hierarchy menu
Getting ready
How to do it...
How it works...
There's more...
Using the statistics – conversations menu
Getting ready
How to do it...
How it works...
There's more...
Using the statistics – endpoints menu
Getting ready
How to do it...
How it works...
There's more...
Using the statistics – HTTP menu
Getting ready
How to do it...
How it works...
There's more...
Configuring a flow graph for viewing TCP flows
Getting ready
How to do it...
How it works...
There's more...
Creating IP-based statistics
Getting ready
How to do it...
How it works...
There's more...
Using Advanced Statistics Tools
Introduction
Configuring I/O graphs with filters for measuring network performance issues
Getting ready
How to do it...
How it works...
There's more...
Throughput measurements with I/O graphs
Getting ready
How to do it...
Measuring download/upload traffic
Measuring several streams between two end devices
Measuring application throughput
Measuring a TCP stream with TCP event analysis
How it works...
There's more...
Advanced I/O graph configurations with y axis parameters
Getting ready
How to do it...
Monitoring inter-frame time delta statistics
Monitoring the number of TCP events in a stream
Monitoring the number of field appearances
How it works...
There's more...
Getting information through TCP stream graphs – time/sequence (Steven's) window
Getting ready
How to do it...
How it works...
There's more...
Getting information through TCP stream graphs – time/sequences (TCP-trace) window
Getting ready
How to do it...
How it works...
There's more...
Getting information through TCP stream graphs – throughput window
Getting ready
How to do it...
How it works...
There's more...
Getting information through TCP stream graphs – round-trip-time window
Getting ready
How to do it...
How it works...
There's more...
Getting information through TCP stream graphs – window-scaling window
Getting ready
How to do it...
How it works...
There's more...
Using the Expert System
Introduction
The expert system window and how to use it for network troubleshooting
Getting ready
How to do it...
How it works...
There's more...
See also
Error events and what we can understand from them
Getting ready
How to do it...
How it works...
There's more...
See also
Warning events and what we can understand from them
Getting ready
How to do it...
How it works...
There's more...
See also
Note events and what we can understand from them
Getting ready
How to do it...
How it works...
There's more...
See also
Ethernet and LAN Switching
Introduction
Discovering broadcast and error storms
Getting ready
How to do it...
Spanning tree problems
A device that generates broadcasts
Fixed pattern broadcasts
How it works...
There's more...
See also
Analyzing spanning tree problems
Getting ready
How to do it...
Which STP version is running on the network?
Are there too many topology changes?
How it works...
Port states
There's more...
Analyzing VLANs and VLAN tagging issues
Getting ready
How to do it...
Monitoring traffic inside a VLAN
Viewing tagged frames going through a VLAN tagged port
How it works...
There's more...
See also
Wireless LAN
Skills learned
Introduction to wireless networks and standards
Understanding WLAN devices, protocols, and terminologies
Access point (AP)
Wireless LAN controller (WLC)
Wireless radio issues, analysis, and troubleshooting
Getting ready
How to do it...
Zero wireless connectivity
Poor or intermittent wireless connectivity
Capturing wireless LAN traffic
Capturing options
Getting ready
How to do it...
Wireless station not joining a specific SSID
Users not able to authenticate after successful association
There's more...
Network Layer Protocols and Operations
Introduction
The IPv4 principles of operations
IP addressing
IPv4 address resolution protocol operation and troubleshooting
Getting ready
How to do it...
ARP attacks and mitigations
ARP poisoning and man-in-the-middle attacks
Gratuitous ARP
ARP sweep-based DoS attacks
How it works...
ICMP – protocol operation, analysis, and troubleshooting
Getting ready
How to do it...
ICMP attacks and mitigations
ICMP flood attack
ICMP smurf attack
How it works...
Analyzing IPv4 unicast routing operations
Getting ready
How it works...
IP TTL failures and attacks
Duplicate IP addresses
Analyzing IP fragmentation failures
TCP path MTU discovery
How to do it...
Fragmentation-based attack
How it works...
IPv4 multicast routing operations
How it works...
There's more...
IPv6 principle of operations
IPv6 addressing
IPv6 extension headers
IPv6 extension headers and attacks
Getting ready
How to do it...
IPv6 fragmentation
How it works...
ICMPv6 – protocol operations, analysis, and troubleshooting
Getting ready
How to do it...
IPv6 auto configuration
Getting ready
How to do it...
How it works...
DHCPv6-based address assignment
Getting ready
How to do it...
How it works...
IPv6 neighbor discovery protocol operation and analysis
How to do it...
IPv6 duplicate address detection
How it works...
Transport Layer Protocol Analysis
Introduction
UDP principle of operation
UDP protocol analysis and troubleshooting
Getting ready
How to do it...
TCP principle of operation
Troubleshooting TCP connectivity problems
Getting ready
How to do it...
How it works...
There's more...
Troubleshooting TCP retransmission issues
Getting ready
How to do it...
Case 1 – retransmissions to many destinations
Case 2 – retransmissions on a single connection
Case 3 – retransmission patterns
Case 4 – retransmission due to a non-responsive application
Case 5 - retransmission due to delayed variations
Finding out what it is
How it works...
Regular operation of the TCP sequence/acknowledge mechanism
What are TCP retransmissions and what do they cause?
There's more...
See also
TCP sliding window mechanism
Getting ready
How to do it...
How it works...
TCP enhancements – selective ACK and timestamps
Getting ready
How to do it...
TCP selective acknowledgement option
TCP timestamp option
How it works...
TCP selective acknowledgement
TCP timestamp
There's more...
Troubleshooting TCP throughput
Getting ready
How to do it...
How it works...
FTP, HTTP/1, and HTTP/2
Introduction
Analyzing FTP problems
Getting ready
How to do it...
How it works...
There's more...
Filtering HTTP traffic
Getting ready
How to do it...
How it works...
HTTP methods
Status codes
There's more...
Configuring HTTP preferences
Getting ready
How to do it...
Custom HTTP headers fields
How it works...
There's more...
Analyzing HTTP problems
Getting ready
How to do it...
How it works...
There's more...
Exporting HTTP objects
Getting ready
How to do it...
How it works...
There's more...
HTTP flow analysis
Getting ready
How to do it...
How it works...
There's more...
Analyzing HTTPS traffic – SSL/TLS basics
Getting ready
How to do it...
How it works...
There's more...
DNS Protocol Analysis
Introduction
Analyzing DNS record types
Getting ready
How to do it...
How it works...
SOA record
A resource record
AAAA resource record
CNAME resource record
There's more...
Analyzing regular DNS operations
Getting ready
How to do it...
How it works...
DNS server assignment
DNS operation
DNS namespace
The resolving process
There's more...
Analyzing DNSSEC regular operations
Getting ready
How to do it...
How it works...
There's more...
Troubleshooting DNS performance
Getting ready
How to do it...
How it works...
There's more...
Analyzing Mail Protocols
Introduction
Normal operation of mail protocols
Getting ready
How to do it...
POP3 communications
IMAP communications
SMTP communications
How it works...
POP3
IMAP
SMTP
There's more...
SSL decryption in Wireshark
Analyzing POP, IMAP, and SMTP problems
Getting ready
How to do it...
How it works...
Filtering and analyzing different error codes
Getting ready
How to do it...
SMTP
IMAP
POP3
How it works...
There's more...
IMAP response code (RFC 5530)
POP3 response code (RFC 2449)
SMTP and SMTP error codes (RFC 3463)
Malicious and spam email analysis
Getting ready
How to do it...
How it works...
NetBIOS and SMB Protocol Analysis
Introduction
Understanding the NetBIOS protocol
Understanding the SMB protocol
How it works...
Analyzing problems in the NetBIOS/SMB protocols
Getting ready
How to do it...
General tests
Specific issues
There's more...
Example 1 – application freezing
Example 2 – broadcast storm caused by SMB
Analyzing the database traffic and common problems
Getting ready
How to do it...
How it works...
There's more...
Exporting SMB objects
Getting ready
How to do it...
How it works...
Analyzing Enterprise Applications' Behavior
Introduction
Finding out what is running over your network
Getting ready
How to do it...
There's more...
Analyzing Microsoft Terminal Server and Citrix communications problems
Getting ready
How to do it...
How it works...
There's more...
Analyzing the database traffic and common problems
Getting ready
How to do it...
How it works...
There's more...
Analyzing SNMP
Getting ready
How to do it...
Polling a managed device with a wrong SNMP version
Polling a managed device with a wrong MIB object ID (OID)
How it works...
There's more...
Troubleshooting SIP, Multimedia, and IP Telephony
Introduction
IP telephony principle and normal operation
Getting ready
How to do it...
RTP operation
RTCP operation
How it works...
RTP principles of operation
The RTCP principle of operation
SIP principle of operation, messages, and error codes
Getting ready
How to do it...
How it works...
1xx codes – provisional/informational
2xx codes – success
3xx codes – redirection
4xx codes – client error
5xx codes – server error
6xx codes – global failure
Video over IP and RTSP
Getting ready
How to do it...
How it works...
There's more...
Wireshark features for RTP stream analysis and filtering
Getting ready
How to do it...
How it works...
Wireshark feature for VoIP call replay
Getting ready
How to do it...
How it works...
There's more...
Troubleshooting Bandwidth and Delay Issues
Introduction
Measuring network bandwidth and application traffic
Getting ready
How to do it...
How it works...
There's more...
Measurement of jitter and delay using Wireshark
Getting ready
How to do it...
How it works...
There's more...
Analyzing network bottlenecks, issues, and troubleshooting
Getting ready
How to do it...
How it works...
There's more...
Security and Network Forensics
Introduction
Discovering unusual traffic patterns
Getting ready
How to do it...
How it works...
There's more...
See also
Discovering MAC-based and ARP-based attacks
Getting ready
How to do it...
How it works...
There's more...
Discovering ICMP and TCP SYN/port scans
Getting ready
How to do it...
How it works...
There's more...
See also
Discovering DoS and DDoS attacks
Getting ready
How to do it...
How it works...
There's more...
Locating smart TCP attacks
Getting ready
How to do it
How it works...
There's more...
See also
Discovering brute force and application attacks
Getting ready
How to do it...
How it works...
There's more...